[JBoss JIRA] Created: (GTNPORTAL-2143) Wrong configuration for Mixed Layout container
by Vu Viet Phuong (JIRA)
Wrong configuration for Mixed Layout container
----------------------------------------------
Key: GTNPORTAL-2143
URL: https://issues.jboss.org/browse/GTNPORTAL-2143
Project: GateIn Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: 3.2.0-M01
Reporter: Vu Viet Phuong
Assignee: Vu Viet Phuong
- Login as Root, edit a page
- DnD a Mixed Layout container
- Drag a column in that container, but can drop it to origin position
That is caused by the wrong configuration for Mixed Layout Container in GATEIN/web/portal/src/main/webapp/WEB-INF/conf/uiconf/portal/webui/container/ContainerConfigOption.groovy
It should use UIColumnContainer.gtmpl instead of UIContainer.gtmpl for the table column container in the mixed layout container
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
12 years, 9 months
[JBoss JIRA] Created: (GTNPORTAL-2073) XSS encoding in UIFormTextAreaInput.java
by Honza Fnukal (JIRA)
XSS encoding in UIFormTextAreaInput.java
----------------------------------------
Key: GTNPORTAL-2073
URL: https://issues.jboss.org/browse/GTNPORTAL-2073
Project: GateIn Portal
Issue Type: Enhancement
Security Level: Public (Everyone can see)
Reporter: Honza Fnukal
The right place to encode the value is when rendering, as this is the UI component's responsibility.
This component is used by many others, and some pass the value encoded, some do not.
E.g.:
In UIGadgetEditor there is this method and it encodes the value; this causes double encoding:
    public void processRender(WebuiRequestContext context) throws Exception
    {
        UIFormTextAreaInput uiInputSource = getUIFormTextAreaInput(FIELD_SOURCE);
        UIFormStringInput uiInputName = getUIStringInput(FIELD_NAME);
        String encoded = StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(uiInputSource.getValue()));
        uiInputSource.setValue(encoded);
        if(this.isEdit()) { uiInputName.setEditable(false); }
        super.processRender(context);
    }
There is probably more code like this, I think the best is to clean it up here.
Unfortunately it is probably in SP in a similar way too. If we disable encoding in UIFormTextAreaInput, it will fix double encoding, but enable XSS where it is not encoded.
This task tracks such places and removes encoding from other places.
12 years, 9 months
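
Added example, not part of the JIRA report and not GateIn code: a self-contained Java sketch of the four combinations GTNPORTAL-2073 describes (component encodes or not, caller pre-encodes or not). The render() and classify() helpers, the minimal escapeHtml() and the sample input are assumptions made for illustration; they stand in for UIFormTextAreaInput and StringEscapeUtils.

```java
public class TextAreaEncodingMatrix {
    // Minimal HTML escaper for element content (assumed stand-in for a library escaper).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical text area component: encodes at render time only if componentEncodes is set.
    static String render(String value, boolean componentEncodes) {
        String body = componentEncodes ? escapeHtml(value) : value;
        return "<textarea>" + body + "</textarea>";
    }

    // Compare the rendered body with the raw input encoded zero, one or two times.
    static String classify(String raw, String html) {
        String body = html.substring("<textarea>".length(), html.length() - "</textarea>".length());
        if (body.equals(escapeHtml(raw))) return "encoded once (correct)";
        if (body.equals(escapeHtml(escapeHtml(raw)))) return "double encoded (user sees entities)";
        if (body.equals(raw)) return "unencoded (markup reaches the page)";
        return "other";
    }

    public static void main(String[] args) {
        // Constructed sample input: text that closes the textarea and adds markup.
        String raw = "a < b & c</textarea><i>injected</i>";
        boolean[] flags = {true, false};
        for (boolean componentEncodes : flags) {
            for (boolean callerEncodes : flags) {
                String passed = callerEncodes ? escapeHtml(raw) : raw;
                String html = render(passed, componentEncodes);
                System.out.printf("component=%-5b caller=%-5b -> %s%n    %s%n",
                        componentEncodes, callerEncodes, classify(raw, html), html);
            }
        }
    }
}
```

Only the row where the component encodes is correct for every caller that passes a raw value. With encoding disabled in the component, each caller that does not pre-encode lands in the unencoded case, which is why the report ties the change to removing encoding from callers.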